Is It OK to Share HIV Status?

HIPAA regulations create confusion
for when physicians should disclose.

In regards to “HIPAA Tip: When It’s OK to Share,” posted on AAPC’s blog (www.aapc.com/blog/33801-hipaa-tip/), a reader asks:

Q: Because persons with HIV or AIDS are a protected class, does your comment, “As necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.” apply in the instance where you know that your patient is HIV+ and their partner is unaware that they and their newborn baby are potentially affected with HIV? The patient refuses to disclose. Does this rule on HIPAA apply for the physician to be able to disclose to the other parent of the baby?

A: Non-TPO [treatment, payment and healthcare operations] disclosures without authorization are generally prohibited under HIPAA. For the circumstances indicated, disclosure is theoretically possible; however, the legality of the disclosure must be analyzed not only under federal law, but also state law.

As a general matter, because of the preemption provision of HIPAA, a more restrictive state law precluding a particular disclosure would displace a provision of HIPAA that permits the particular disclosure. HIPAA expressly subordinates authority in this circumstance to a disclosure “authorized by law.” Because HIPAA is the federal law provision that regulates disclosures of health information and provides no definitive answer, look to state law for the legal authority to disclose. There may be a different answer to this question for each state.

Besides that general issue, it’s important to understand that, under HIPAA, disclosures are categorized into two basic categories: The first pertains to those that do not require authorization (disclosures necessary for TPO as discussed in the regulations at 45 CFR §164.506(c)). For these disclosures, either an acknowledgment by the patient of “receipt” of the covered entity’s Notice of Privacy Practices, or a good faith attempt at obtaining such acknowledgement, is sufficient to permit disclosure of PHI subject to the minimum necessary disclosure rule. The second category of disclosures requires an authorization, which is addressed in the regulations at §164.508.

Beyond these general provisions, HIPAA addresses disclosures that the covered entity must provide the patient with the opportunity to object (§164.510) and the non-TPO disclosures for which an authorization or opportunity to agree or object is not required (§164.512).

The specific type of disclosure addressed by the questioner and the article is one that is permitted for public health authorities as follows:

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.

* * *

(b) Standard: Uses and disclosures for public health activities.

(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:

* * *

(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation;

Because the questioner does not tell us if the contemplated disclosure is authorized by state law, or whether the entity contemplating the disclosure is engaged in a public health intervention or investigation, we cannot determine whether the contemplated disclosure is permissible. There are other options based on the specific facts presented, however.

Disclosure of the risk of infection in the baby presents no real problem unless the HIV-infected mother is NOT the person authorized to make treatment decisions for the child. Certainly, you can’t disclose anything to a newborn. As a result, the disclosure to the minor child must be made to the person who stands in the shoes of the child for HIPAA purposes – the person who is authorized to make treatment decisions for the child. The mother, who ostensibly also has the disease and who also rightfully makes treatment decisions on behalf of the newborn, is therefore permitted to receive information about the child’s HIV risk. Such a disclosure of the child’s risk to the mother would be (for HIPAA purposes) construed as a disclosure to the patient. There is no issue here as a result.

With a domestic partner, or even a legally married partner, disclosure is a bit trickier from a HIPAA perspective. I would not suggest reliance on the public health disclosure authority without more analysis of the specific facts. It is easier and safer to simply obtain authorization from the patient to disclose the patient’s HIV status to the partner. When the patient refuses to permit disclosure of the risk to a partner based on the patient’s HIV status, the disclosure is only permissible if authorized by law [for the purpose of notifying] such person as necessary in the conduct of a public health intervention or investigation. Use of the public health disclosure authority under Section 512 requires you to first identify the legal authority permitting the disclosure. To this end, I would recommend that the questioner get an opinion in their state from competent state health law counsel who can analyze the specific facts associated with the contemplated disclosure, as well as the relevant provisions of the applicable state law, before proceeding.

Mr. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO, CPMA has over 20 years of experience in healthcare coding and over sixteen years as a compliance expert, forensic coding expert and consultant. He has provided expert analysis and testimony on a wide range of coding and compliance issues in civil and criminal cases and his law practice concentrates exclusively on representation of healthcare providers in post-payment audits as well as with responding to HIPAA OCR issues. He has an extensive national speaking background and has been published in numerous national publications on a variety of coding, compliance and health law topics.

Mr. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO, CPMA has over 20 years of experience in healthcare coding and over sixteen years as a compliance expert, forensic coding expert and consultant. He has provided expert analysis and testimony on a wide range of coding and compliance issues in civil and criminal cases and his law practice concentrates exclusively on representation of healthcare providers in post-payment audits as well as with responding to HIPAA OCR issues. He has an extensive national speaking background and has been published in numerous national publications on a variety of coding, compliance and health law topics.